Information on cybersecurity legislation (NIS2)

The Cybersecurity Directive (NIS2) was transposed into national legislation on 8.4.2025. The objective of cybersecurity legislation is to strengthen the common level of cybersecurity in the EU and in the Member States in sectors critical to the functioning of society.

The electronic service for the NIS2 entity list is used to report the information required by the Cybersecurity Act on blood establishments and on companies supplying medicinal products and medical devices that are supervised by Fimea. By logging in, you can select the authorization and conduct transactions in the service. You can log in either via the link below or from the top right corner of the page.

E-submissions for NIS2 entity list

Additional information

Instructions for using the service: https://fimea.fi/en/supervision/supervision-of-cybersecurity-and-resilience/cybersecurity
Contact details related to the service: NIS2-CER@fimea.fi

Who is subject to the obligations?

Cybersecurity legislation applies to several sectors. Fimea supervises the implementation of the obligations laid down in cybersecurity legislation in certain sectors of health and manufacturing in Finland.

Entities supervised by Fimea in the health sector (Cybersecurity Act, Annex I):
- Entities involved in manufacture of basic pharmaceutical products
- Entities involved in manufacture of pharmaceutical preparations
- Entities involved in research and development of medicinal products
- Pharmacies
- Blood establishments
- Entities supplying and providing medicinal products and medical devices in accordance with the EU Directive on the application of patients’ rights in cross-border healthcare (2011/24/EU)
- Entities manufacturing medical devices considered critical during a serious public health threat

Entities supervised by Fimea in the manufacturing sector (Cybersecurity Act, Annex I):
- Manufacturers of medical devices and in vitro diagnostic medical devices

In addition, the obligations of the Cybersecurity Act also apply to entities designated as critical under the Act on the Protection of Infrastructure Critical to Society and on the Improvement of Resilience (310/2025), regardless of their size.

Essential and important entities
The obligations of cybersecurity legislation apply to entities that meet the criteria of either an essential entity or an important entity. The sector, size and criticality of an organisation affect whether it is an essential or important entity. Essential and important entities are supervised in different ways. Essential entities are subject to advance supervision and risk-based supervision. Important entities are only subject to risk-based supervision.

What are the obligations?

Registering for the entity list
Entities are required to submit a notification of themselves to Fimea’s NIS2 entity list within the timetable stipulated by the Cybersecurity Act.

Registration in the NIS2 entity list is subject to a fee, which includes a processing fee for the entity notification and an annual maintenance fee for the entity notification. The fees related to registration are based on the current decree of the Ministry of Social Affairs and Health on fees chargeable by the Finnish Medicines Agency.

Notifying changes
If the information submitted for the entity list changes, the entity must report the change in the service without delay, and at the latest within two weeks. Entities must also submit a notification if they no longer meet the criteria of an essential or important entity or if the entity has ceased its activities.

Cybersecurity risk management obligations
Entities are required to implement certain cybersecurity risk management obligations. The Finnish Transport and Communications Agency’s National Cyber Security Centre is drawing up a recommendation on cybersecurity risk management measures.


Reporting information security incidents
Entities are required to notify the supervisory authority without delay of any significant incidents in their service. In Finland, it will be possible to submit a notification with the NIS2 notification application that is currently under development by the Finnish Transport and Communications Agency’s National Cyber Security Centre.


How is an essential entity defined?

Essential entity by sector and size
Essential entities include large companies operating in the health sector. The criteria for a large enterprise are met when a company employs at least 250 employees or has an annual turnover of more than EUR 50 million and a balance sheet of more than EUR 43 million.

Essential entity regardless of size
An entity can also be identified as essential regardless of its size. This is the case if one of the following criteria is met (these criteria might be specified by a government decree):

- The entity is the sole service provider in a Member State of a service that is essential for the maintenance of critical societal and economic activities.
- Disruption of the service provided by the entity could have a significant impact on public safety, public security or public health.
- Disruption of the service provided by the entity could induce a significant systemic risk, in particular for sectors where such disruption could have a cross-border impact.
- The entity is critical because of its specific importance at national or regional level for the particular sector or type of service, or for other interdependent sectors in the Member State.

Entities designated as critical
Entities designated as critical under the Act on the Protection of Infrastructure Critical to Society and on the Improvement of Resilience are considered essential entities. For entities supervised by Fimea, the critical entities will be designated by the Ministry of Social Affairs and Health during 2026.

Entities operating in several sectors
If an entity operates in several sectors and its activities partly match the definition of an essential entity and partly consist of other activities, the entity is considered an essential entity.

How is an important entity defined?

Important entity by sector and size
Important entities include:
- Companies operating in the health sector that meet the criteria for a medium-sized enterprise. The criteria for a medium-sized enterprise are met when a company employs at least 50 employees or has an annual turnover and balance sheet of more than EUR 10 million.
- Companies operating in the manufacturing sector that meet the criteria for a large enterprise. The criteria for a large enterprise are met when a company employs at least 250 employees or has an annual turnover of more than EUR 50 million and a balance sheet of more than EUR 43 million.
- Companies operating in the manufacturing sector that meet the criteria for a medium-sized enterprise. The criteria for a medium-sized enterprise are met when a company employs at least 50 employees or has an annual turnover and balance sheet of more than EUR 10 million.

Information to be entered in the entity list

- Name of entity
- Contact details of the entity (address, email address, telephone number)
- Information about the entity’s sector
- Information on whether the entity is an essential or important entity
- Public IP ranges
- The European Union Member States where the organisation provides services covered by cybersecurity legislation (NIS2)
- Participation in voluntary cybersecurity information-sharing arrangements

Why is IP address information collected for the entity list?

Provisions on notifying public IP addresses to the supervisory authority are laid down in the NIS2 Directive, the Cybersecurity Act, the Information Management Act and the Act on Electronic Communications Services.

Public IP address data can be used to proactively detect vulnerabilities, cyber threats and insecure configuration settings in the communication networks and information systems of organisations subject to cybersecurity legislation.

The CSIRT unit of the Finnish Transport and Communications Agency is responsible for measures related to vulnerabilities and cyber threats in Finland. The CSIRT unit has the right to receive information in the entity list from the supervising authority.

Legislation

- Cybersecurity Act (only in Finnish and Swedish)
- The Act on the Protection of Infrastructure Critical to Society and on the Improvement of Resilience (only in Finnish and Swedish)
- NIS2 Directive
- CER Directive
- Information Management Act
- Act on Electronic Communications Services

Where can I get help if I encounter problems?

If you need support for using the service, contact NIS2-CER@fimea.fi.
